Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Change var folder of Splunk to another partition

sigma
Path Finder
‎02-24-2024 10:15 AM

Hi,

I installed Splunk in a linux server on /opt/splunk. The server has two disks, one 50 GB (sdb1) and another 6 TB (sda1). I want to save /opt/splunk/var  folder (and all of its contents) of Splunk to /splunk/var (sda1) which second huge partition is mounted.

Actually I want to separate etc and var in case of partition. etc remain on sdb1 and var be in sda1.

I need a detailed solution
Thanks

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-24-2024 10:51 PM

Hi @sigma ,

as @richgalloway said, on Linux usually Splunk is installed on /opt and it's a best practice to ha file system separated from root and this location is configured in an enviromental variable called %SPLUNK_HOME.

For data it's possible to setup a variable (called $SPLUNK_DB) that indicates the location of the file system containing the data folders. not the $SPLUNK_HOME/var folder, that's a best practice to set up in a different and larger file system.

So you can go in $SPLUNK_HOME/etc/splunk-launch.conf and configure $SPLUNK_HOME variable for your system.

Obviously this action is only for Indexers or stand-alone Splunk systems, not for the other roles.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-24-2024 10:51 PM

Hi @sigma ,

as @richgalloway said, on Linux usually Splunk is installed on /opt and it's a best practice to ha file system separated from root and this location is configured in an enviromental variable called %SPLUNK_HOME.

For data it's possible to setup a variable (called $SPLUNK_DB) that indicates the location of the file system containing the data folders. not the $SPLUNK_HOME/var folder, that's a best practice to set up in a different and larger file system.

So you can go in $SPLUNK_HOME/etc/splunk-launch.conf and configure $SPLUNK_HOME variable for your system.

Obviously this action is only for Indexers or stand-alone Splunk systems, not for the other roles.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-24-2024 11:09 AM

Splunk has provision for two mount points: $SPLUNK_HOME (/opt/splunk, by default) and $SPLUNK_DB (/opt/splunk/var/run/splunk by default).  Breaking the file system at other points is possible using links, but doing so is uncommon and not without risks.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Let’s Talk Terraform

If you’re beyond the first-weeks-of-a-startup stage, chances are your application’s architecture is pretty ...

Cloud Platform | Customer Change Announcement: Email Notification is Available For ...

The Notification Team is migrating our email service provider. As the rollout progresses, Splunk has enabled ...

Save the Date: GovSummit Returns Wednesday, December 11th!

Hey there, Splunk Community! Exciting news: Splunk’s GovSummit 2024 is returning to Washington, D.C. on ...